CTFZONE Quals 2024 | Youtube Unlock & Youtube Unlock Revenge (GGC Exploit)

Difficulty : Easy to Medium

I solved these two tasks but I don't understand them very much, sorry if there are any inconsistencies.

Youtube Unlock :

Let's start by reading the code to understand the task.

/app/nginx/nginx.conf :

worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;
    
    keepalive_timeout  65;
    
    server {
        listen       80;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen       4431 ssl;
        ssl_certificate /cert.pem;
        ssl_certificate_key /cert.key;

        location / {
            return 301 https://blocked.org.uk:443;
        }
    }

    server {
        listen       4432 ssl;
        ssl_certificate /cert.pem;
        ssl_certificate_key /cert.key;

        location / {
            return 301 https://www.youtube.com/watch?v=WIRK_pGdIdA;
        }
    }
}

stream {
    map $ssl_preread_server_name $proxy {
        youtube.com              backend;
        www.youtube.com          backend;
        default                  backend_default;
    }

    upstream backend_default {
        server 127.0.0.1:4431;
    }

    upstream backend {
        server 127.0.0.1:4432;
    }

    server {
        listen 4430;
        ssl_preread on;
        proxy_pass  $proxy;
    }
}

/app/dpi/dpi.py :

import socket
import select
import os 

def server_connection(dst_ip, dst_port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((dst_ip, dst_port))
    return sock

BUFFER_SIZE = 140

dst_ip = 'nginx'
dst_port = 4430
srv_port = 443
sockets = []

srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

srv.bind(("0.0.0.0", srv_port))
srv.listen(3)

print(f'listening connection on port {srv_port}')

sockets.append(srv)

while True:
    socks,_,_=select.select(sockets,[],[])
    
    for sock in socks:
        
        try:
            
            if sock==srv:
                print ("sock : " +str(sock))
                print ("srv : " + str(srv))
                buf ="empty"
                client,_=srv.accept()
                print(f"new connection")
                sockets.append(client)
                server=server_connection(dst_ip, dst_port)
                sockets.append(server)
                buff=sock.recv(BUFFER_SIZE)
                print("buffer : "+str(buff))
            else:
                buf=sock.recv(BUFFER_SIZE)
                if b'youtube' in buf:
                    print('BAN!!!')
                    os.system("echo BAN > ban.txt;")
                    continue
                id=sockets.index(sock)
                if id%2==1: 
                    if len(buf) == 0:
                        sockets[id].close()
                        sockets[id+1].close()
                        del sockets[id]
                        del sockets[id]
                    else:
                        sockets[id+1].sendall(buf)
                else: 
                    if len(buf) == 0:
                        sockets[id-1].close()
                        sockets[id].close()
                        del sockets[id-1]
                        del sockets[id-1]
                    else:
                        sockets[id-1].sendall(buf)
                        print("success")
        except Exception as e:
            print(e)

The nginx server hosts 2 servers each one under a service name, accessing the server normally will result to a redirect blocked.org.uk, what is needed is to use the Service name youtube.com to access the youtube video that will probably contain the flag.

So now checking the python code, we see that it acts as a proxy to our nginx server, it will block every request containing the string "youtube", but since it's case sensitive we can just bypass it by using "Youtube.com" instad of "youtube.com".

So now how do we do this ?

First we intercepted a request to the server and put in repeater.

Then you got edit target and change the check override SNI and enter Youtube.com

After it we follow the redirection and get to a youtube video

This video will contain the flag.

Pretty easy stuff

Youtube unlock | Revenge :

The second challenge is almost the same thing but with a little change to the files.

/app/nginx/nginx.conf :

worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;
    
    keepalive_timeout  65;
    
    server {
        listen       80;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen       4431 ssl;
        ssl_certificate /cert.pem;
        ssl_certificate_key /cert.key;

        location / {
            return 301 https://blocked.org.uk:443;
        }
    }

    server {
        listen       4432 ssl;
        ssl_certificate /cert.pem;
        ssl_certificate_key /cert.key;

        location / {
            return 301 https://www.youtube.com/watch?v=WIRK_pGdIdA;
        }
    }
}

stream {
    map $ssl_preread_server_name $proxy {
        youtube.com              backend;
        www.youtube.com          backend;
        default                  backend_default;
    }

    upstream backend_default {
        server 127.0.0.1:4431;
    }

    upstream backend {
        server 127.0.0.1:4432;
    }

    server {
        listen 4430;
        ssl_preread on;
        proxy_pass  $proxy;
    }
}

/app/dpi/dpi.py :

import socket
import select

def server_connection(dst_ip, dst_port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((dst_ip, dst_port))
    return sock

BUFFER_SIZE = 140

dst_ip = 'nginx'
dst_port = 4430
srv_port = 443
sockets = []

srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

srv.bind(("0.0.0.0", srv_port))
srv.listen(3)

print(f'listening connection on port {srv_port}')

sockets.append(srv)

while True:
    socks,_,_=select.select(sockets,[],[])

    for sock in socks:
        try:
            if sock==srv:
                client,_=srv.accept()
                print(f"new connection")
                sockets.append(client)
                server=server_connection(dst_ip, dst_port)
                sockets.append(server)
            else:
                buf=sock.recv(BUFFER_SIZE)
                if b'youtube' in buf.lower():
                    print('BAN!!!')
                    continue
                id=sockets.index(sock)
                if id%2==1: 
                    if len(buf) == 0:
                        sockets[id].close()
                        sockets[id+1].close()
                        del sockets[id]
                        del sockets[id]
                    else:
                        sockets[id+1].sendall(buf)
                else: 
                    if len(buf) == 0:
                        sockets[id-1].close()
                        sockets[id].close()
                        del sockets[id-1]
                        del sockets[id-1]
                    else:
                        sockets[id-1].sendall(buf)
        except Exception as e:
            print(e)

The key difference is now file upload is allowed on the server and secondly the server will require a pair socket id. To ensure we get two sockets in our request, we can upload a blank file so it would queue the file transfer in the socket queue.

so again with the same.

and for our request.

we get the flag appended to the youtube link.

I didn't understand this challenge very well, it tried this and worked, what I wrote here is me trying to understand why it works, so sorry if I'm wrong in some points.